They should perform a control review of the tools, models, and data paths the agent can reach, then align approvals to the highest-risk action in the chain. That means defining guardrails for search, file handling, image generation, video rendering, and provider switching before broad rollout.
Why This Matters for Security Teams
Agentic chat changes the risk model because the interface is no longer just conversational. When the default UI can search, write files, generate images, render video, switch providers, or invoke tools, every prompt becomes a potential control decision. That means approval cannot stop at the chat layer. It has to extend to the highest-risk action the agent can chain together.
This is why current guidance suggests treating agentic chat as an execution surface, not a productivity feature. The practical question is not whether the model can answer safely, but whether the agent can be pushed into unsafe data paths, unexpected tool calls, or privilege escalation through a benign-looking request. NHIMG’s OWASP Agentic Applications Top 10 and the OWASP Top 10 for Agentic Applications 2026 both reinforce that tool access, data access, and autonomous action must be governed together. NIST frames the same problem through AI risk management, which emphasises mapped risks before deployment.
In practice, many security teams encounter agentic misuse only after the first broad rollout exposes tools the approval process never actually covered.
How It Works in Practice
Before deploying agentic chat as the default interface, organisations should inventory the full action chain the agent can reach and then rate the chain by its most dangerous step. If the agent can search internal systems, open files, generate media, hand off to another provider, or trigger downstream automation, each step needs a control owner and a clear approval rule. The control review should include the model, the orchestration layer, the tool gateway, the data connectors, and any provider-switch logic that could change trust boundaries mid-session.
Practitioners should then move from broad, static permissions to runtime checks. That usually means context-aware authorisation, just-in-time approvals, short-lived secrets, and explicit policy gates for each tool invocation. The AI Agents: The New Attack Surface report shows why this matters: 80% of organisations report agents have already performed actions beyond their intended scope, including accessing unauthorised systems and revealing credentials. That kind of behaviour is exactly why the default interface must be constrained before it is made ubiquitous.
A practical rollout pattern is to separate read-only tasks from write-capable tasks, keep provider switching behind policy, and require human approval for any action that can persist data, move secrets, or alter permissions. Where the agent is used for customer-facing or regulated workflows, current guidance suggests logging the full prompt, tool call, policy decision, and resulting action so the chain can be audited later. NIST AI Risk Management Framework and CSA MAESTRO agentic AI threat modeling framework both support this kind of pre-deployment mapping and control selection. These controls tend to break down when a single chat interface can pivot across multiple tenants, providers, and sensitive data sources because the effective blast radius becomes hard to contain in real time.
Common Variations and Edge Cases
Tighter approval controls often increase latency and operational overhead, so organisations have to balance user experience against blast-radius reduction. That tradeoff is especially visible when agentic chat is used for internal search, software operations, or content generation at high volume. Best practice is evolving, but there is no universal standard yet for how much autonomy is acceptable by default.
One common edge case is provider switching. If a workflow can silently move from one model provider to another, the security review has to cover both the primary and fallback paths, including data residency, retention, and logging differences. Another is media generation: image and video tools may introduce separate policy requirements for export, watermarking, or brand risk that do not exist in text-only chat. A third is delegated access, where an agent appears harmless until it inherits a user’s rights and can then chain those rights into broader retrieval or write actions.
NHIMG’s LLMjacking: How Attackers Hijack AI Using Compromised NHIs underscores the need to review credential exposure alongside interface design, because compromised NHIs can turn an ordinary chat deployment into an attacker-controlled execution layer. For teams formalising governance, the OWASP NHI Top 10 remains a useful lens for mapping where access, secrets, and tool reach intersect. The answer is not to block agentic chat outright, but to launch it only after the highest-risk action paths are understood, constrained, and continuously audited.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agentic tool misuse is the core risk when chat becomes the default interface. |
| CSA MAESTRO | T1 | MAESTRO covers threat modeling for agent autonomy, tool access, and chained actions. |
| NIST AI RMF | AI RMF applies to pre-deployment risk mapping and ongoing governance of agentic systems. |
Use AI RMF to define risks, controls, monitoring, and accountability before rollout.
Related resources from NHI Mgmt Group
- What are the core risks identified by the OWASP Agentic Top 10?
- When does just-in-time access reduce risk for agentic AI, and when does it fall short?
- How should security teams govern machine identity credentials in agentic AI environments?
- Where should practitioners go deeper on agentic application risks?
